Design

Each PHOTON-n/r/r' variant is defined by the following internal parameters:

n: the bitsize of the hash output

t: the bitsize of the internal state (we have t = c + r), which is also the size of the internal permutation P

c: the bitsize of the capacity part of the internal state

r: the bitsize of the bitrate part of the internal state (or the message block bitsize)

d: the number of cell columns and rows in the internal permutation

s: the bitsize of one cell in the internal permutation

Variant            Internal Permutation   t     n     c     r    r'   d   s
PHOTON-80/20/16    P100                   100   80    80    20   16   5   4
PHOTON-128/16/16   P144                   144   128   128   16   16   6   4
PHOTON-160/36/36   P196                   196   160   160   36   36   7   4
PHOTON-224/32/32   P256                   256   224   224   32   32   8   4
PHOTON-256/32/32   P288                   288   256   256   32   32   6   8

The Domain Extension Algorithm

The domain extension algorithm of PHOTON is largely inspired by the sponge functions framework introduced by Bertoni et al. in 2007. The t-bit internal state, composed of c bits of capacity and r bits of bitrate, is first initialized with an initial value, and the message to hash (after padding) is divided into r-bit blocks. Then, during the absorbing phase, each of these message blocks is successively incorporated into the internal state before applying the internal permutation P. Once all message blocks have been handled, the squeezing phase begins: r' bits of the internal state are successively extracted before applying the internal permutation P, until the right amount n of output bits has been reached.

Note that compared to the classical sponge functions framework, we allow the output bitrate to be distinct from the input one, in order to provide interesting trade-offs.
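As an added illustration (not code from the PHOTON designers), the Python below runs the absorbing and squeezing phases with separate input and output bitrates for the five variants in the table, and counts the permutation calls each hash costs. The stand-in `toy_permutation`, the all-zero initial value, the 1-then-zeros padding and the placement of the bitrate in the top bits of the state are assumptions made for this example, so the digests it produces are not PHOTON digests.

```python
# Variant -> (t, n, c, r, r_out, d, s), copied from the parameter table above.
VARIANTS = {
    "PHOTON-80/20/16":  (100,  80,  80, 20, 16, 5, 4),
    "PHOTON-128/16/16": (144, 128, 128, 16, 16, 6, 4),
    "PHOTON-160/36/36": (196, 160, 160, 36, 36, 7, 4),
    "PHOTON-224/32/32": (256, 224, 224, 32, 32, 8, 4),
    "PHOTON-256/32/32": (288, 256, 256, 32, 32, 6, 8),
}

def toy_permutation(state, t):
    """Stand-in bijection on t-bit integers (assumption). NOT PHOTON's permutation P."""
    mask = (1 << t) - 1
    for rnd in range(1, 5):
        state = ((state << 7) | (state >> (t - 7))) & mask  # rotate left by 7
        state = (state * 0x9E3779B97F4A7C15) & mask         # odd multiplier: invertible mod 2^t
        state ^= rnd                                        # round-dependent constant
    return state

def pad(bits, r):
    """Assumed padding: append a single 1 bit, then 0 bits up to a multiple of r."""
    bits += "1"
    return bits + "0" * (-len(bits) % r)

def sponge_hash(variant, message, perm=toy_permutation):
    """Return (n-bit digest as a bit string, number of permutation calls)."""
    t, n, c, r, r_out, _, _ = VARIANTS[variant]
    bits = pad("".join(f"{b:08b}" for b in message), r)
    state, calls = 0, 0                       # assumed all-zero initial value
    for i in range(0, len(bits), r):          # absorbing phase: one r-bit block per call
        state ^= int(bits[i:i + r], 2) << c   # the block only touches the r bitrate bits
        state = perm(state, t)
        calls += 1
    out = ""
    while True:                               # squeezing phase: r' bits per extraction
        out += f"{state >> (t - r_out):0{r_out}b}"
        if len(out) >= n:
            return out[:n], calls             # truncate to exactly n bits
        state = perm(state, t)
        calls += 1

if __name__ == "__main__":
    for name in VARIANTS:
        digest, calls = sponge_hash(name, b"abc")  # constructed sample input
        print(f"{name}: {len(digest)} bits, {calls} permutation calls")
```

A smaller r' raises the number of squeezing calls for the same n, which is the trade-off the note above refers to.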

The Internal Permutations

The internal permutation of PHOTON is largely inspired by the structure of the Advanced Encryption Standard (AES). Namely, the internal state can be viewed as a (d × d) matrix of s-bit cells. One round applies four functions:

AddConstants: this function applies round-dependent constants to each cell of the first column.

SubCells: this function applies the s-bit Sbox to every cell of the internal state. We chose to use the very small 4-bit PRESENT cipher Sbox for P100, P144, P196 and P256, while the 8-bit AES Sbox was preferred for P288.

ShiftRows: this function simply rotates each cell located at row i by i positions to the left.

MixColumnsSerial: this function linearly updates all columns independently. The matrix underlying the MixColumnsSerial layer is Maximum Distance Separable (MDS) so as to provide maximal diffusion. However, this matrix can be applied in a serial manner, cell by cell, with coefficients that are very efficient for hardware implementation.